[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [office] Table Protection: Uselessness of table:protection-key
Bob, I think that's right. Perhaps the way to say it is this: (1) the table-cell protection feature is provided as a safeguard against accidental alteration of cells that must be kept fixed in order to achieve the intended purpose, such as use of tables as part of a form for data collection and reporting. (2) the locking of table-cell protection is provided as a safeguard against careless over-riding of the table-cell protections. Cell locking is not a secure protection against unauthorized and undetected alteration of the protected table cells. Knowledge of the password is not required in order for a knowledgeable party to over-ride the locking by manipulation of the XML document directly. (3) The hash code is a barrier against casual discovery of the password by inspection of the XML. Hash codes of short texts such as memorable passwords are easily attacked regardless of the strength of the hash code. To limit the consequences of password compromise, passwords used for locking the table-cell protection should not be used for any other purpose. - Dennis -----Original Message----- From: Bob Jolliffe [mailto:bobjolliffe@gmail.com] http://lists.oasis-open.org/archives/office/200901/msg00008.html Sent: Saturday, January 03, 2009 10:17 To: office@lists.oasis-open.org Subject: Re: [office] Table Protection: Uselessness of table:protection-key Hi 2009/1/3 Patrick Durusau <patrick@durusau.net>: http://lists.oasis-open.org/archives/office/200901/msg00007.html > Dennis, > > While table/cell protection is an expected "feature," I am not sure how far > we should go in terms of warnings to users. In part because any warning we > give will be of necessity incomplete. I think users should simply know that cells are only protected against accidental editing. Currently it is most likely that most users assume that some sort of actual protection is going on here. Perhaps the language of "protection" doesn't help. More neutral language like "intended-read-only" rather than "protected" would be better. Regards Bob [ ... ] > Dennis E. Hamilton wrote: >> >> Forgot to address this to the list >> -----Original Message----- >> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] Sent: Friday, >> January 02, 2009 16:04 http://lists.oasis-open.org/archives/office/200901/msg00006.html >> To: 'Bob Jolliffe' >> Subject: RE: [office] Table Protection: Uselessness of >> table:protection-key >> >> I like your suggestion about a warning in the specification and I included >> that in the final part of my analysis on what needs to be specified if >> table:protection-key-digest-algorithm is going to be useful. >> >> In addition, I just realized that worrying about coming up with hash >> collisions is actually a misplaced concern and the strength of the message >> digest algorithm is irrelevant. The weakness here is that keys are short >> compared to the kinds of messages that digests work well for. >> >> Because keys are short and usually memorable, one can simply attack the >> key >> directly. [ ... ]
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]